A research team has publicly disclosed shortcomings in two AWS services that could have allowed unauthorized access to accounts and been used to leak sensitive files. Both bugs have been fully fixed.
The first flaw, called Superglue, was a problem in AWS Glue that users could have exploited to gain access to other AWS Glue users’ data.
AWS describes Glue as a “serverless data integration” service that lets users identify, prepare and combine data for analytics, machine learning, and application development. It’s fair to say that AWS customers use it to manage large amounts of data. AWS lets Glue users store up to one million objects for free.
It’s easy to identify the AWS Glue feature that can be exploited to secure credentials to a role within the AWS service’s own account, gaining full access to the internal service API. In combination with an internal misconfiguration in the Glue internal service API, we expanded the privileges on the account to the point where we had unrestricted access to all resources for the service in the region, including full admin privileges.
Researchers’ statement
The company says it was able to exploit this flaw to:
- Assume roles in AWS customer accounts that are trusted by the Glue service. In every account that uses Glue, there’s at least one role of this kind.
- Query and modify AWS Glue service-related resources in a region. This includes, but is not limited to, metadata for Glue jobs, dev endpoints, workflows, crawlers, and triggers.
It was also able to gain access to the information managed by other AWS Glue users, verified only through numerous accounts that it controlled; the company did not access anyone else’s data while researching this flaw. AWS responded to the disclosure within a few hours, had a partial mitigation in place the next day, and fully mitigated the problem a few days later.
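The roles in the first bullet above (roles in customer accounts that trust the Glue service) are the ones a defender would want to inventory. The following script is an added example, not code from the research team or from AWS: it audits IAM role trust policies (constructed sample documents, not from any real account) and flags roles that glue.amazonaws.com may assume without an aws:SourceAccount or aws:SourceArn condition, the confused-deputy guard AWS recommends for service-trusting roles, which narrows the contexts from which such a role can be assumed.

```python
import json

# Constructed sample trust policies; not from the article or any real account.
SAMPLE_TRUST_POLICIES = {
    "GlueServiceRole-Unscoped": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    "GlueServiceRole-Scoped": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": ["glue.amazonaws.com", "lambda.amazonaws.com"]},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}]},
    "AppRole-NoGlue": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
}

GLUE_PRINCIPAL = "glue.amazonaws.com"
DEPUTY_KEYS = ("aws:sourceaccount", "aws:sourcearn")  # IAM condition keys are case-insensitive

def _as_list(value):
    """IAM allows a bare string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def glue_trust_findings(policy):
    """Return one finding per Allow statement that lets glue.amazonaws.com (or any
    principal via "*") assume the role with no aws:SourceAccount/aws:SourceArn condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = ["*"] if principal == "*" else _as_list(principal.get("Service", []))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not ({GLUE_PRINCIPAL, "*"} & set(services) and {"sts:assumerole", "sts:*"} & actions):
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys.intersection(DEPUTY_KEYS):
            findings.append("glue.amazonaws.com can assume this role without an "
                            "aws:SourceAccount or aws:SourceArn condition")
    return findings

def audit_roles(policies):
    """Map role name -> findings, keeping only roles that have at least one finding."""
    return {name: f for name, pol in policies.items() if (f := glue_trust_findings(pol))}

if __name__ == "__main__":
    # In a real audit, feed this the decoded AssumeRolePolicyDocument of each role instead.
    print(json.dumps(audit_roles(SAMPLE_TRUST_POLICIES), indent=2))
```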
The second flaw affected AWS CloudFormation, a service that lets you design, provision, and manage AWS and third-party resources by treating infrastructure as code. This paradigm has grown popular among companies looking to make setting up and maintaining their networks and tools more convenient as they shift to the cloud.
The second flaw, BreakingFormation, could have been used to steal sensitive files found on the vulnerable service machine and to make server-side request forgery (SSRF) requests that could expose credentials of internal AWS infrastructure services. The flaw was completely mitigated within six days of its disclosure to AWS.